GitLab
Frogbot surfaces scan results in GitLab through merge request comments and the JFrog Platform.
Merge Request Decorations
When Frogbot runs a PR scan on a GitLab merge request, it posts comments with details about new security issues introduced by the change. Each comment includes:
- The CVE or finding identifier
- Severity level and CVSS score
- Affected component, version, and fix version (if available)
- Contextual analysis status
Configuring MR Decorations
With centralized configuration, merge request decoration behavior is managed from the JFrog Platform under the PR Decorations tab:
- Show all security finding types — Include both vulnerabilities and policy violations in MR comments.
- Skip comments on merge requests with no security issues — Suppress comments on clean MRs to reduce noise.
JFrog Platform
All GitLab scan results (both MR scans and commit scans) are uploaded to the JFrog Platform and viewable in Xray > Scans List > Git Repositories. See JFrog Platform for details on navigating results, applying policies, and using centralized configuration.
Auto-Fix Merge Requests
When Frogbot runs a commit scan and detects fixable vulnerabilities, it creates a merge request with the necessary dependency upgrades. Auto-fix MR behavior is configured in the JFrog Platform under the Auto-Fix tab:
- Enable or disable auto-fix MR creation
- Group all fixes into a single MR or create one per vulnerability
- Customize branch name, commit message, and MR title templates